US10003606B2ActiveUtilityA1

Systems and methods for detecting security threats

81
Assignee: SYMANTEC CORPPriority: Mar 30, 2016Filed: Mar 30, 2016Granted: Jun 19, 2018
Est. expiryMar 30, 2036(~9.7 yrs left)· nominal 20-yr term from priority
H04L 63/1425G06F 2201/86H04L 63/1416G06F 21/554G06F 16/11
81
PatentIndex Score
4
Cited by
50
References
20
Claims

Abstract

The disclosed computer-implemented method for detecting security threats may include (1) detecting, by a software security program, a security incident at a client device such that the software security program generates a signature report to identify the security incident, (2) querying an association database with the signature report to deduce another signature report that a different software security program would have predictably generated at the client device, the different software security program having been unavailable at the client device at a time of detecting the security incident, and (3) performing at least one protective action to protect the client device from a security threat associated with the security incident based on the other signature report deduced by querying the association database. Various other methods, systems, and computer-readable media are also disclosed.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A computer-implemented method for detecting security threats, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
 detecting, by a software security product, a security incident at a client device such that the software security product generates a signature report to identify the security incident; 
 querying an association database with the signature report to deduce another signature report that a different software security product would have predictably generated at the client device, the different software security product having been unavailable at the client device at a time of detecting the security incident; and 
 performing at least one protective action to protect the client device from a security threat associated with the security incident based on the other signature report deduced by querying the association database, wherein: 
 the protective action comprises:
 revising a security incident report to include information about the other signature report as a phantom event to provide context for the security incident; and 
 prompting a user to perform an action that is tailored to the other signature report, the action comprising at least one of:
 updating an antivirus signature set; 
 executing an inoculation script; 
 enabling a security setting; and 
 disabling a hardware, virtual, and/or network computing resource; and 
 
 
 the other signature report satisfies a statistical threshold of correlation with the signature report that was actually generated. 
 
     
     
       2. The computer-implemented method of  claim 1 , wherein the association database is constructed according to an association rule mining algorithm. 
     
     
       3. The computer-implemented method of  claim 2 , wherein the association rule mining algorithm identifies a group of at least two signature reports that occur together beyond a threshold frequency. 
     
     
       4. The computer-implemented method of  claim 1 , wherein deducing the other signature report comprises deducing at least two signature reports. 
     
     
       5. The computer-implemented method of  claim 4 , further comprising filtering at least one signature report of the at least two signature reports based on a determination that the at least one signature report indicates a security compromise. 
     
     
       6. The computer-implemented method of  claim 5 , wherein the determination that the at least one signature report indicates a security compromise comprises a determination that the signature report is associated disproportionately with security compromise situations according to a statistical measurement. 
     
     
       7. The computer-implemented method of  claim 5 , wherein the determination that the at least one signature report indicates a security compromise comprises a determination that an automated measurement of confidence in the signature report indicating a security compromise satisfies a confidence threshold. 
     
     
       8. The computer-implemented method of  claim 1 , wherein deducing the other signature report comprises inferring an attribute of the security incident. 
     
     
       9. The computer-implemented method of  claim 8 , wherein the attribute comprises at least one of:
 a file identifier for a file that caused the security incident; 
 a uniform resource locator for a web location that caused the security incident; and 
 an Internet Protocol address for a web location that caused the security incident. 
 
     
     
       10. The computer-implemented method of  claim 8 , further comprising:
 measuring a degree of confidence that the inferring of the attribute is correct; and 
 determining that the measured degree of confidence satisfies a confidence threshold. 
 
     
     
       11. A system for detecting security threats, the system comprising:
 a detection module, stored in memory, that detects, as part of a software security product, a security incident at a client device such that the software security product generates a signature report to identify the security incident; 
 a querying module, stored in memory, that queries an association database with the signature report to deduce another signature report that a different software security product would have predictably generated at the client device, the different software security product having been unavailable at the client device at a time of detecting the security incident; 
 a performance module, stored in memory, that performs at least one protective action to protect the client device from a security threat associated with the security incident based on the other signature report deduced by querying the association database; and 
 at least one physical processor configured to execute the detection module, the querying module, and the performance module, wherein: 
 the protective action comprises:
 revising a security incident report to include information about the other signature report as a phantom event to provide context for the security incident; and 
 prompting a user to perform an action that is tailored to the other signature report, the action comprising at least one of:
 updating an antivirus signature set; 
 executing an inoculation script; 
 enabling a security setting; and 
 disabling a hardware, virtual, and/or network computing resource; and 
 
 
 the other signature report satisfies a statistical threshold of correlation with the signature report that was actually generated. 
 
     
     
       12. The system of  claim 11 , wherein the association database is constructed according to an association rule mining algorithm. 
     
     
       13. The system of  claim 12 , wherein the association rule mining algorithm identifies a group of at least two signature reports that occur together beyond a threshold frequency. 
     
     
       14. The system of  claim 11 , wherein the querying module deduces the other signature report by deducing at least two signature reports. 
     
     
       15. The system of  claim 14 , wherein the querying module filters at least one signature report of the at least two signature reports based on a determination that the at least one signature report indicates a security compromise. 
     
     
       16. The system of  claim 15 , wherein the determination that the at least one signature report indicates a security compromise comprises a determination that the signature report is associated disproportionately with security compromise situations according to a statistical measurement. 
     
     
       17. The system of  claim 15 , wherein the determination that the at least one signature report indicates a security compromise comprises a determination that an automated measurement of confidence in the signature report indicating a security compromise satisfies a confidence threshold. 
     
     
       18. The system of  claim 11 , wherein the querying module deduces the other signature report by inferring an attribute of the security incident. 
     
     
       19. The system of  claim 18 , wherein the attribute comprises at least one of:
 a file identifier for a file that caused the security incident; 
 a uniform resource locator for a web location that caused the security incident; and 
 an Internet Protocol address for a web location that caused the security incident. 
 
     
     
       20. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
 detect, by a software security product, a security incident at a client device such that the software security product generates a signature report to identify the security incident; 
 query an association database with the signature report to deduce another signature report that a different software security product would have predictably generated at the client device, the different software security product having been unavailable at the client device at a time of detecting the security incident; and 
 perform at least one protective action to protect the client device from a security threat associated with the security incident based on the other signature report deduced by querying the association database, wherein: 
 the protective action comprises:
 revising a security incident report to include information about the other signature report as a phantom event to provide context for the security incident; and 
 prompting a user to perform an action that is tailored to the other signature report, the action comprising at least one of:
 updating an antivirus signature set; 
 executing an inoculation script; 
 enabling a security setting; and 
 disabling a hardware, virtual, and/or network computing resource; and 
 
 
 the other signature report satisfies a statistical threshold of correlation with the signature report that was actually generated.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.